sanitize proxied remote content response

re-construct the Response object to make sure no strange headers slip
into our own response.
This commit is contained in:
Peter Cai 2020-04-09 20:11:48 +08:00
parent d8edb51d6a
commit b2d6678405
No known key found for this signature in database
GPG Key ID: 71F5FB4E4F3FD54F
2 changed files with 18 additions and 1 deletions

View File

@ -23,6 +23,7 @@ wasm-bindgen-futures = "0.4"
web-sys = { version = "0.3", features = [
"Crypto",
"Headers",
"ReadableStream",
"Request",
"RequestInit",
"RequestRedirect",

View File

@ -54,6 +54,12 @@ extern "C" {
fn fetch(req: &Request) -> Promise;
}
macro_rules! get_header {
($headers:expr, $name:expr) => {
$headers.get($name).internal_err()?.ok_or(Error::InternalError())?
};
}
// A caching proxy for images inserted into articles
// to protect user's privacy and accelerate page load
async fn proxy_remote_image(req: Request, url: Url) -> MyResult<Response> {
@ -74,7 +80,17 @@ async fn proxy_remote_image(req: Request, url: Url) -> MyResult<Response> {
RequestInit::new()
.method("GET")
.redirect(RequestRedirect::Follow)).internal_err()?;
Ok(JsFuture::from(fetch(&new_req)).await.internal_err()?.into())
let remote_resp: Response = JsFuture::from(fetch(&new_req)).await.internal_err()?.into();
let remote_headers = remote_resp.headers();
Response::new_with_opt_readable_stream_and_init(
remote_resp.body().as_ref(),
ResponseInit::new()
.status(remote_resp.status())
.headers(headers!{
"Content-Type" => &get_header!(remote_headers, "content-type")
}.as_ref())
).internal_err()
}
async fn default_route(_req: Request, url: Url) -> MyResult<Response> {